Field
Embodiments presented herein generally relate to techniques for code signing, and more specifically, to techniques for reducing the amount of data exchanged with a cloud-based code signing service to sign new files and/or application packages.
Description of Related Art
Many software publishers today, whether individuals, organizations, companies, etc., provide security when deploying code (or software) to users. Code signing, for example, is frequently employed as a common security tool when deploying code. Code signing generally refers to the process of digitally signing executables and scripts to confirm the identity of the software author and guarantee that the code has not been altered or corrupted since it was signed.
In a typical code signing process, the publisher generates a private-public key pair and submits a request for a code signing certificate to a certificate authority (CA). The publisher includes the public key along with the certificate request. Once received, the CA verifies the identity of the publisher and authenticates the publisher's certificate request. Once verified, the CA issues the code signing certificate, binding the identity of the publisher with the public key. Once the publisher receives the code signing certificate, the publisher can sign the code using its private key. In some cases, the publisher can generate a hash of the code and use the private key to encrypt (or sign) the hash (e.g., using a message-digest algorithm). The publisher may bundle the signed hash, executable code, and certificate into one package. Once an end-user (e.g., individual, enterprise, etc.) receives the package, the end-user can decrypt the signed hash using the public key in the certificate, create a new hash of the executable code using the same hashing algorithm, and compare the new hash with the decrypted hash. If the two hashes match, the executable code is considered valid and can be accepted by the end-user.
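The hash, sign, bundle and verify sequence described above, as an added example in Go that is not part of the application text; it assumes ECDSA over P-256 with SHA-256, uses the bare public key in place of the certificate, and does not model the CA's identity binding:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedPackage is the bundle the publisher distributes: the executable code,
// the signature over its hash, and the public key (assumption: it stands in
// for the certificate; the CA's identity binding is not modelled here).
type SignedPackage struct {
	Code       []byte
	SignedHash []byte
	PublicKey  *ecdsa.PublicKey
}

// SignPackage hashes the code with SHA-256 and signs the digest with the
// publisher's private key, then bundles everything for distribution.
func SignPackage(code []byte, priv *ecdsa.PrivateKey) (*SignedPackage, error) {
	digest := sha256.Sum256(code)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedPackage{Code: code, SignedHash: sig, PublicKey: &priv.PublicKey}, nil
}

// VerifyPackage recomputes the hash of the received code with the same
// algorithm and checks the signature against it; any change to the code
// after signing makes the digests differ and verification fail.
func VerifyPackage(p *SignedPackage) bool {
	if p == nil || p.PublicKey == nil {
		return false
	}
	digest := sha256.Sum256(p.Code)
	return ecdsa.VerifyASN1(p.PublicKey, digest[:], p.SignedHash)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	code := []byte("#!/bin/sh\necho hello") // constructed sample "executable"
	pkg, _ := SignPackage(code, priv)
	fmt.Println("valid:", VerifyPackage(pkg))
	pkg.Code = append(pkg.Code, []byte("\necho tampered")...) // altered after signing
	fmt.Println("after tamper:", VerifyPackage(pkg))
}
```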
In some cases, malicious actors may attempt to exploit the code signing process in order to obtain code signing certificates from trusted CAs. For example, malicious actors may attempt to gain access to end users' private keys (e.g., via Trojan horses or other malware). Once the private keys are compromised, the certificates can be used to sign malware in an attempt to make the malware appear as if it comes from a legitimate software publisher.
Due, in part, to these concerns, users who want to distribute (or publish) signed code increasingly rely on cloud-based services to perform code signing. Such cloud-based code signing services, for example, generally allow users to upload the code that they want to have signed. In response to receiving the code, the cloud-based code signing service can sign the code (e.g., in the cloud) and return the signed code to the user. In some cases, the cloud-based code signing service can store one or more private/public key pairs for a given user. The user can request that the cloud-based code signing service use a particular key pair to sign the code. By moving the management of private/public keys away from users to the cloud, cloud-based code signing services can reduce the risk of malicious actors compromising keys used to code sign software.